
badger.foo writes "The OpenBSD 4.7 pre-orders are up. That means the release is done, sent off to CD production, and snapshots will turn -current again. Order now and you more likely than not will have your CD set, T-shirt or other cool stuff before the official release date. You get the chance to support the most important free software project on the planet, and get your hands on some cool playables and wearables early. The release page is still being filled in, but the changelog has detailed information about the goodies in this release."

Darwin is a member of the BSD family. The XNU kernel originally was a single-server Mach microkernel running a 4BSD kernel. The Mach components are now reduced and most of the kernel code is either from FreeBSD or from Apple, but it's as much of a BSD descendant as OpenBSD. The Mach part of the kernel manages threads and memory, nothing else. The UNIX process model, all UNIX system calls, SysV and POSIX IPC, the networking stack, and so on all run in the BSD server. On OS X, unlike some earlier Mach systems, the BSD server lives in the kernel's address space and accounts for most of the ring-0 code that an OS X system is running.

On top of the XNU kernel, Darwin has a userland that gets a lot from FreeBSD, but some things from other sources. The init system is Launchd, which is a home-grown Apple system (now open sourced). The libc is from FreeBSD, but quite modified. The libstdc++, standard shell, and a couple of other things are from the GNU project.

OS X is Darwin with a lot of proprietary stuff on top (the audio stack and windowing system, for example).

They're basically the only major operating system project that gives a damn about security. Sure, Linux, for instance, is better than Windows when it comes to security. But that's only because Microsoft has fucked up Windows' security so badly.

The OpenBSD developers, on the other hand, are proactive about security. Their coding practices and extensive code reviews prevent bugs and security problems in the first place.

IIS doesn't really run as any specific user. The packet router, HTTP.sys, runs as LocalSystem. However the thread processing the request changes its security context very early in the request processing to a low-privileged account.

That's a minor quibble of contention. Seriously. It's barely worth making note of, unless you can identify how Windows Server 2003 is different from XP (aside from the crippling of Terminal Services and the number of connections allowed). Otherwise, they are pretty much the exact same thing.

The fact that the user can migrate from one system to another without having to relearn the GUI and system management options isn't a fault, it's a fucking technical victory Linux and BSD would do well to learn from.

Any PC that is new enough to still be running its original power supply can run some incarnation of Windows 7.

You forget the fact that Windows 7 screwed with drivers severely. We have seven different generations of computers in my department bought through the last three years (it was several smaller university departments that were joined together, that's the reason for so many purchases), from 3-year-old HP desktops to 6-month-old Asus notebooks.

NOT A SINGLE ONE OF THEM has all the drivers required for normal operation. You name it: 512mb radeon video cards which run with no 3d, no network, no wifi (my personal machine ha

I have an ATI X300 in my laptop, which is creeping up on being 5 years old. It works fine in Windows 7, with all the 3D and all the bling, using ATI's "legacy" drivers, which (incidentally) were just updated a few weeks ago.

It also worked fine with Vista drivers, before ATI had an official release supporting 7.

*shrug*

The only conclusion I can draw from all of your banter is that you're either incompetent, prejudiced, or both.

But despite the myriads of host, application, and server level exploits for Windows, the default security policies, and generally poor network server capabilities, there's one thing that sticks out in my mind: have there been any exploits for Microsoft's RDP implementation yet?

I realize that older versions of Microsoft products aren't able to upgrade to the newer versions, but I've never seen a "Terminal Services Root Exploit" as I have with OpenSSH. Mayb

Also, incidentally, older versions of RDP were susceptible to man-in-the-middle attacks to grab passwords and inject commands. I think newer versions do some certificate checking to verify the server to which they're connected.

Look. I don't despise Microsoft like most people around here - just a lukewarm pain-in-my-assness. But let's not go pretending that they don't have more holes than Swiss cheese. If you do, you're either too ignorant to comment, or being deliberately obtuse.

But we aren't talking about Linux. We're talking about OpenBSD, arguably the most security conscious operating system in common use today.

While it wouldn't be accurate to say OpenBSD never has any security holes, it is fair to say that remote exploits are exceedingly rare. Since 1996 there have only been two remote exploits in the default install of OpenBSD. While that is as much due to the fact the default install is more locked down than you're realistically going to keep your system, that in itself is a

I'll not write as caustically as the AC who also replied, but I'll agree in principle.

One thing that is obvious and well-known is that it doesn't matter that you don't visit "shady" web sites to end up being subject to potential malware infection. Ad companies are letting nasty ads get through whatever controls they have in place. Serious vetting and the talent to implement it costs money, no doubt. I just found this, http://news.cnet.com/8301-27080_3-20000353-245.html [cnet.com]

I have great respect for the OpenBSD folks. Their focus on security was a result of needing to distinguish themselves in the free marketplace. Back in the late 90's it was necessary to focus on something to keep from being lost in the fray. I don't believe it was their altruism that pushed them to that focus as much as they had some good expertise and made the most of it for marketing.
Like I said, I have great respect for them, but let's not put them up on a pedestal that is too high. They have made some

OpenBSD, while very secure, does owe some, if not a lot, of its security to security through obscurity.

Security through obscurity? What are you talking about? Name a better documented OS or distro.

New (and not so new) users are well-advised to keep the FAQs [openbsd.org] bookmarked, but the man pages shipped with the distribution are the most comprehensive I've ever seen. Terse, maybe, but complete, and the developers treat errors/omissions seriously.

Maybe you meant security due to small market share? Don't you think that every wannabe cracker out there wants to make a name for himself by rooting a properly configured OpenBSD box?

Just because they created OpenSSH doesn't mean the OS is the most important open source project on the planet.

OpenSSH was a huge improvement in the security of networks the world over, but it's not at all the only thing OpenBSD has contributed to the world.

Certainly, OpenBSD's development of W^X security led to Microsoft doing the same, and Intel/AMD including instructions to make this easier...

OpenBSD's focus on code correctness and licensing has caused them to lead, and have Linux and other BSDs follow... They announced their dropping of Xfree86 in favor of Xorg before anyone else, and very soon after Xfree86 was no longer found on any OSes. Their objections over the performance, code complexity, and licensing of GCC4 led to them pushing alternative compilers forward, and other projects (like FreeBSD) followed suit, pushing hard to move their favored alternative compilers forward.

There's many more, but you'll have to wait for someone else to come up with a list...

Well, we already *had* the original ssh, but it was being weakened by the original author's effort to build a company around it. OpenSSH saved it,

SSH1 was cryptographically weak, wasn't remotely as exploit-free, and much more than that, it wasn't being widely adopted... No SSH in Solaris, Cisco routers, etc., until OpenSSH matured, and showed everyone where the future undeniably was.

Perhaps the biggest thing OpenSSH had going for it, was that it was adopted into the OpenBSD base system immediately, and RSH

While true, this argument misses the point that they are not "the most important free software project on the planet".

It doesn't miss the point at all, it's merely more facts to support the claim. Certainly far from undeniable proof, but the fact that you don't care about the relevant facts just indicates you believe the answer to be a foregone conclusion.

You are basically arguing about a different thing than the rest of us.

It doesn't miss the point at all, it's merely more facts to support the claim. Certainly far from undeniable proof, but the fact that you don't care about the relevant facts just indicates you believe the answer to be a foregone conclusion.

Which, in turn, means you think the answer is a foregone conclusion, as well. Debating the point is moot, but if we assume that we both could err, the statistical chance of "out of n samples, x is the most y" is a lot less than of "out of n samples, x is not the most y". If we assume you can not err, you must be God [slashdot.org] or an OpenBSD person ;)

Jokes aside, I am not sure which the most important single piece of FLOSS is or even what scope is the right one and how to weigh the various facts. If someone claims they

Which, in turn, means you think the answer is a foregone conclusion, as well.

False logic. Listening to an argument (or even offering some evidence supporting one) does not presuppose a decision, one way or the other (though one MIGHT infer some bias from it). Dismissing arguments, with no attempt to judge their veracity, immediately indicates prejudice (by definition).

Debating the point is moot, but if we assume that we both could err, the statistical chance of "out of n samples, x is the most y" is a lot

False logic. Listening to an argument (or even offering some evidence supporting one) does not presuppose a decision, one way or the other (though one MIGHT infer some bias from it). Dismissing arguments, with no attempt to judge their veracity, immediately indicates prejudice (by definition).

So, basically, you get to pull the "I did not say that" card while I am stuck with being the evil, headless guy who did not even try to value your arguments? Cool. Just for the record, I read, understood and even made part of the points you made in another subthread. Still, my basic point remains: OpenBSD is, in my opinion, not the single most important FLOSS project. And that's even when you throw in their admirable stance on closed-source firmware.

Yes, you have a statistically better chance of betting against someone, but this is not a bet. We are not operating in lieu of evidence, which substantially improves those odds.

The BSD projects have a great packaging system but it is only used for layered applications. It could certainly be used for the whole system but I think that defeats the "as simple as possible" approach they try to use.

Much of how the BSD systems do things is very "clean" in principle, but in practice sucks the tits right off a cow.

It's so goddamn simple and straightforward that it requires an administrator to do one (or more, in combination) of the following:

a) devise an atypical, custom build process for dealing with simple systems administration tasks, upgrades, installs (partially due to the 'simple' approaches not working consistently or being all too finessed).
b) write custom package/kernel/whatever administration

Looks like they include a utility to make life easier when upgrading... looks similar to what Gentoo Linux does when config files are upgraded... new configs are diff'd, and can be interactively merged, etc:

"OpenBSD now includes the sysmerge(8) utility, which helps administrators update configuration files after upgrading their system. Sysmerge(8) compares the current files on your system with the files that would have been installed with a new install, and gives you the option of keeping the old file, installing the new file, or assisting you in the manual merging of the old and new files, using sdiff. For past upgrades, we've presented a list of files that are usually copied over "as-is", and a list of files which should be changed, and a patch file that applies those changes to what might be in those files on your system. You may opt to use sysmerge to make the changes, or you may wish to use the patch file first, and then follow up with a sysmerge session to clean up any loose ends."

So it looks like they're at least making an effort to make it less painful
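The comparison sysmerge(8) is described as doing above (compare the live file against the copy a fresh install would lay down, then keep, install or merge) can be sketched in a few lines of sh. The script below is an added example written for this thread, not sysmerge itself nor anything from the OpenBSD project. It assumes NEW is a scratch directory holding the new release's files (for instance etcXX.tgz extracted somewhere under /tmp) and LIVE is the running tree; it never overwrites an existing file, it only installs files that are absent and prints a diff for the rest so the administrator can finish with sdiff or sysmerge. The demo trees it builds under mktemp are constructed for the example and are not real OpenBSD configuration.

```shell
#!/bin/sh
# Added example: a minimal, non-interactive version of the comparison that
# sysmerge(8) performs. Not the sysmerge code, and not OpenBSD project code.

# classify_config NEW LIVE
# Prints "<state> <relative path>" for every file under NEW, where state is
#   same     identical to the live copy, nothing to do
#   missing  absent from LIVE (a file this release introduces)
#   differs  present in both but different (edited locally, changed upstream, or both)
classify_config() {
    new=$1; live=$2
    (cd "$new" && find . -type f) | sed 's|^\./||' | sort | while IFS= read -r rel; do
        if [ ! -e "$live/$rel" ]; then
            echo "missing $rel"
        elif cmp -s "$new/$rel" "$live/$rel"; then
            echo "same $rel"
        else
            echo "differs $rel"
        fi
    done
}

# apply_safe NEW LIVE
# Installs only the files that are missing (the one case that needs no judgment),
# prints a unified diff for each file that differs, and skips identical files.
# Returns 0 when nothing is left to merge by hand, 1 otherwise.
apply_safe() {
    new=$1; live=$2; rc=0
    classify_config "$new" "$live" | while read -r state rel; do
        case $state in
            missing)
                mkdir -p "$(dirname "$live/$rel")"
                cp -p "$new/$rel" "$live/$rel"
                echo "installed $rel" ;;
            differs)
                echo "=== $rel differs; merge by hand (sdiff -o, or sysmerge) ==="
                diff -u "$live/$rel" "$new/$rel" || true ;;
        esac
    done
    classify_config "$new" "$live" | grep -q '^differs ' && rc=1
    return $rc
}

# make_demo: builds two constructed trees and prints the scratch directory.
# The file names and contents are made up for the example.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/new/etc" "$d/live/etc"
    printf 'Welcome\n'            > "$d/new/etc/motd"
    cp -p "$d/new/etc/motd"         "$d/live/etc/motd"          # identical
    printf 'pass in all\n'        > "$d/new/etc/pf.conf"
    printf 'block in all\n'       > "$d/live/etc/pf.conf"       # differs
    printf 'new_knob=yes\n'       > "$d/new/etc/newfile.conf"   # missing live
    echo "$d"
}

# Run as "sh thisfile.sh demo" to exercise it on the constructed trees.
if [ "${1:-}" = "demo" ]; then
    d=$(make_demo)
    classify_config "$d/new" "$d/live"
    apply_safe "$d/new" "$d/live" || echo "manual merge still needed"
    rm -rf "$d"
fi
```

For a real upgrade the point of the exercise is the "differs" list: those are exactly the files (pf.conf, rc.conf.local, and so on) that no script should silently replace, which is why sysmerge hands them to sdiff rather than guessing.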


Are you kidding me? The upgrade process is for the administrator to manually merge the configuration files!?!?

And this is the improved version? Wow. Just... wow.

I can't believe people here whine about how the Windows 'registry' is somehow the root of all evil, even though the vast majority of Windows apps (and Windows itself) handle version upgrades automatically.

You never found such an OS? You should try CentOS, the whole upgrade guide is just 'yum -y update'. It rarely fails, especially if you never did something dumb like installing libraries from source or such.

The funny thing (to me) is that the upgrade process looks a lot harder than it actually turns out to be. On our servers, it usually amounts to running the installer, running patch to update files in /etc, running a single command to upgrade all the installed 3rd-party software, and rebooting a last time to make sure it comes back up cleanly.

In practice, the things that OpenBSD doesn't automatically upgrade with the above steps are the kinds of things you wouldn't want a script to attempt, such as upgrading the firewall configuration to use new features. The process certainly isn't slick or pretty, but it does the job well and safely.

I agree. The thing generally missed by people who criticize the OpenBSD upgrade process without having actually tried it themselves, is that OpenBSD is so cleanly designed and well documented that it's actually possible to hold a thorough understanding of the operating system in one's head, so to speak. It's like the Arch Linux philosophy [phraktured.net]:

Relying on complex tools to manage and build your system is going to hurt the end users. [...] "If you try to hide the complexity of the system, you'll end up with a mor

FreeBSD in-place upgrades are also very smooth. They have been for as long as I've been using it (since 2.2.5-RELEASE, if I recall correctly). Occasionally, the mergemaster gets a little confusing (there are a lot of config files)... and once in a while I've accidentally replaced a config file I didn't want to... but other than that. :)

See the upgrade guide for upgrading 4.5 to 4.6... it's a 280-line upgrade guide: http://www.openbsd.org/faq/upgrade46.html [openbsd.org] ... On RedHat and CentOS, to go from RHEL 5.3 to RHEL 5.4 I did "yum -y update". That's it.

You can just do the OpenBSD upgrade without reading those instructions... as you did with RHEL.

If you'd actually started to read those instructions, you'd have seen they outline basically all feature changes between the previous and current release. See:

scrub in all no-df max-mss 1440

can be replaced with a rule using the new "match" action:

match in all scrub (no-df max-mss 1440)

Did the yum upgrade automatically make all necessary syntax changes in all corner cases in your config files to adapt them for the newest versions of the software? Obviously not... You're left to figure those out yourself. If the new version of iptables uses different options for some obscure option, you're screwed. Oh well, guess you should have read the RHEL 5.4 errata, which happens to be SEVERAL THOUSAND LINES http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Release_Notes/index.html [redhat.com]
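The scrub-to-match change quoted above is a purely syntactic rewrite, which is the kind of thing a script can do on a copy of pf.conf, as long as a human reviews the result and pfctl parses it before it is loaded. The script below is an added example written for this thread, not part of the OpenBSD upgrade guide or the pf code. It assumes the old rule has the shape "scrub <in|out> <all | on IFACE> <options>" on a single line (rules continued with a backslash are not handled); anything else, including a bare "scrub in all" that relied on old defaults, is passed through untouched and flagged on stderr. The sample rules fed to it are constructed for the example.

```shell
#!/bin/sh
# Added example, not OpenBSD project code: rewrite pre-4.6 scrub rules into the
# 4.6+ "match ... scrub (...)" form and parse-check the result with pfctl -nf.

# migrate_scrub_rules < old.pf.conf > new.pf.conf
# Rewrites "scrub DIR TARGET OPTS..." to "match DIR TARGET scrub (OPTS...)".
# A trailing "# comment" is preserved outside the parentheses, otherwise the
# ")" would be swallowed by the comment.
migrate_scrub_rules() {
    awk '
    {
        comment = ""
        hash = index($0, "#")
        if (hash > 0) { comment = substr($0, hash); $0 = substr($0, 1, hash - 1) }
    }
    $1 == "scrub" && ($2 == "in" || $2 == "out") {
        dir = $2
        if ($3 == "on" && NF >= 4) { target = "on " $4; first = 5 }
        else if ($3 == "all")      { target = "all";     first = 4 }
        else                       { print $0 comment; next }    # shape not handled
        opts = ""
        for (i = first; i <= NF; i++) opts = opts (opts == "" ? "" : " ") $i
        if (opts == "") {
            # A bare scrub rule relied on the old defaults; a person has to pick
            # the options for the match rule, so keep it as-is and flag it.
            print "review by hand: " $0 | "cat 1>&2"
            print $0 comment
            next
        }
        print "match " dir " " target " scrub (" opts ")" (comment == "" ? "" : " " comment)
        next
    }
    { print $0 comment }
    '
}

# check_pf_conf FILE: parse-only load, the check to run before "pfctl -f FILE".
check_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not available here; run 'pfctl -nf $1' on the OpenBSD host" >&2
    fi
}

# Constructed sample ruleset for the demo (not a real pf.conf).
sample_rules() {
    printf '%s\n' \
        'scrub in all no-df max-mss 1440' \
        'scrub out on em0 random-id # keep ids unpredictable' \
        'scrub in all' \
        'pass in all'
}

# Run as "sh thisfile.sh demo" to see the rewrite and the parse check.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    sample_rules | migrate_scrub_rules > "$tmp"
    cat "$tmp"
    check_pf_conf "$tmp"
    rm -f "$tmp"
fi
```

The awk pass does the mechanical part; "pfctl -nf" is what tells you whether the new file actually parses under the new pf, and the lines reported on stderr are the ones where the old defaults mattered and a person has to decide what the match rule should say.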

Read the bits in bold teletype font. Those are the commands that you need to run. The rest of it is an explanation of what has changed since the last release and how it may affect you. Note also that those are the instructions for remote upgrading. If you have physical access to the machine, just boot from the install kernel + initrd and follow the on-screen instructions.

That said, I'd love it if they'd port the freebsd-update tool. Updating an OpenBSD machine remotely does take a few minutes of int

Yeah, right. Here is MY OpenBSD upgrade guide:

1) insert CD, select (U)pgrade.
2) once the upgrade is finished, enter, as root: "pkg_add -vvv -u -F upgrade"

That's it. I have used this for at least the past 5 upgrades. You obviously have no idea what you are talking about.

I wouldn't characterize it as a "mess", but I do notice there are some changes [openbsd.org] to pf rules syntax, so some rewriting of your firewall rules might be required.

I've been using OpenBSD since around 2.7. I've come to really trust the judgment of the developers in general, and the pf developers in particular. I've yet to see them break backwards compatibility without good reason.

Seriously! Even for commercial products don't people purchase them electronically? Maybe I'm just so far-removed from the commercial software world that I can't even comprehend this in this day and age... I did order a free Ubuntu CD once, but never even ended up using it because Ubuntu releases so often that there's almost always a newer version the next time you want to install it, and downloading via bittorrent is so fast. Of course I understand for those unlucky folk who are living in the middle of

OpenBSD is also responsible for, among other things, OpenSSH, OpenBGPD, and OpenNTPD -- all three of which are widely adopted and used far, far beyond the sphere of influence of even OpenBSD itself. OpenSSH accounts for some 90% of all SSH deployments world-wide. Whether you know it or not, OpenBSD-related software enables quite a bit of the internet infrastructure.

As good as the Linux kernel is, there are viable replacements with arguably better licensing terms. On the other hand, the likes of OpenSSH are so good (and so widely used) that most people couldn't name a single ssh alternative.

It, along with the rest of the OpenBSD base system, now compiles with PCC. It also compiles with clang and, last benchmarks I saw, performed better when compiled with clang than with GCC. So, I guess the answer to your question is 'better'.

After looking into a replacement for NTPD, OpenNTPD was a terrible option. If I recall correctly, all it did was a very simplistic setting of the time from what the server says. No slewing, no safety mechanisms, etc. I remember reading that it was simply designed for simplicity, not features, but it went way overboard.

My mistake on the use of the term slew; what I meant to get across is that it doesn't do any of the clock-slowing stuff that NTP or chrony does. All it did was get a packet and set the time. I'm pretty sure it didn't do any backing off or the like. I can't find any good references at the moment, but it was jaw-droppingly inappropriate, especially for a situation where we have to keep all of our servers within a dozen microseconds or so.

Wrong again. It does do clock slowing or speeding up. Both to get the clock right and to compute a persistent clock frequency adjustment.
It does NOT just set the clock.
I don't know which version on what platform you were testing. Maybe your port was terribly done. But on OpenBSD it works like a charm for almost any purpose.

OpenNTPD does not account for hardware drift, which is what I attempted to describe in my second post. Multiple hits on google for "openntpd hardware drift" support this. Unfortunately the OpenNTPD docs do not say what they don't do with regards to NTPD or chrony, so you don't know what you are missing. Without clock disciplining, all it's really doing is setting the time.

The Advogato post is outdated. Since then quite a few things have changed. Look at the code and the manual page:
ntpd uses the adjtime(2) system call to correct the local system time
without causing time jumps. Adjustments of 32ms and greater are logged
using syslog(3). The threshold value is chosen to avoid having local
clock drift thrash the log files. Should ntpd be started with the -d or
-v option, all calls to adjtime(2) will be logged.
After the local clock is synchroni

Fair enough that the situation has improved. Do you know if portable OpenNTPD has this functionality? I've read in multiple places that only the non-portable version has this functionality; only 4.x and above has disciplining, and portable has been at 3.9 since 2006.

I still find it disingenuous that OpenNTP uses the NTP name but does not go to any lengths to indicate what they don't support.

Any way one goes about it, I find little reason to look at openntp in contrast to chrony, which is just as simple

After doing some research and looking at the manpage for openntpd 3.9, the latest portable release, the manpage does not have the documentation you're referring to, leading me to believe that disciplining is only in later versions that only are applicable to OpenBSD. If having any discussion about the benefits of OpenNTPD it should be made clear that disciplining (a feature I consider crucial) is only available on OpenBSD.

TCP/IP, as implemented, is brought to you by BSD. Same with Vi and very many other things. The TCP/IP implementation which won the final DARPA approval was implemented by Bill Joy, mostly by himself (same with the original vi). However, I do agree with you that open standards and specifications are the key.

I'm not saying OpenBSD is "the most important" f/oss project, I'm just saying that OpenBSD in terms of the OpenBSD Foundation and all the projects it oversees really deserves a lot more credit than people usually give it. I don't use OpenBSD itself, but I make my living via FreeBSD as I have via Linux in the past. I still value OpenSSH more than pretty much any other free software project besides maybe gcc, and then there are other compilers like clang and pcc that I'm more intrigued by.

Spend some time on the mailing list, you'll see why it's a marginalised project.

The funny thing is I really, really wanted to like OpenBSD, I tried it on some production systems. Lack of hardware support, problems with upgrading combined with the 6-month release cycle forcing you into the upgrade scenario just made the whole thing too hard.

Because after 2 releases they stop making security updates. Other OSes go a hell of a lot longer before they EOL their releases.

I've had this argument with OpenBSD people before. What it comes down to is OpenBSD is their toy and they like constantly updating rather than doing mundane shit like patching old versions.

All well and good, it's their project, they can do as they please, but don't pretend that it's a superior server OS, because it simply doesn't cut it if you don't have patch support after just 12 months. There's plenty of secure systems with more features and longer EOLs that make OpenBSD more trouble than it's worth.

You can get it, install it and have it - and all the applications you are likely to need - running in 40 minutes, for nothing! (on a 450MHz processor), and quite possibly need only another 40 minutes maintenance, with no reboots, in the next two years. Any scripts you write will probably run on future versions for the next 10 years without modification. It is by far the lowest-maintenance infrastructure you can get in the long term